Menu
▾
▴
Re: [Opensc-devel] honoring PINPAD
|
From: Douglas E E. <dee...@gm...> - 2016-03-10 16:54:04
|
On 3/10/2016 9:23 AM, J.W...@mi... wrote: > Hi all, > > Can anybody shine some light over this? > > We finally have found some pinpad-readers that do work under Linux, with our cards and the AET-drivers. > > For instance, if I type opensc-tool –l, I can see with readers have a pinpad or not > > Also, when I do pkcs11-tool –O –l, I _/must/_ enter the pin on the reader. > > Furthermore the screen-lock (driven by pam) knows when to ask for a pin, or refer to the reader-console. > > However, openvpn simply continueus to ask for the pin on the console (or its management interface). > > I presume openvpn should have checked the reader’s capabilities, but forgot to do that… There is more work to do to use the pinpad reader. The code has to setup the template so the reader knows how to fill in the PIN. > > Secondly, as the code works with the pin on the prompt, I presume there is a switch (routine in libccid ??) that specifies IF a pinpad should be used or not? I don't think so, it really enforced by the the calling software, OpenSC, openvpn or whatever.... From a security standpoint, the card can not tell if the pin came from the pin pad reader or from the host. There maybe readers that will not accept a pin command from the host. (I don't know of any.) So if you are trying to force the user to never expose their pin to host (either on the keyboard or from a file) and always use the pin pad reader, you would need one of these readers. You would also have to force the user not to change readers! There may be issues trying to enforce this with Remote Desktop over the network. > > So you can optionally overrule the pinpad-capability??? > > Kind regards, Hans. > > -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- > Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en > het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten. > > This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the > message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. > > > ------------------------------------------------------------------------------ > Transform Data into Opportunity. > Accelerate data analysis in your applications with > Intel Data Analytics Acceleration Library. > Click to learn more. > http://pubads.g.doubleclick.net/gampad/clk?id=278785111&iu=/4140 > > > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@gm...> |
